Research Questions

What capabilities exist to combat insider threats in government, industry, and academia?

What aspects of continuous evaluation (CE) are being implemented in these sectors to address insider threats?

What are the costs and benefits of CE?

What aspects of CE could be implemented in the federal government in the future?

What are the potential cost savings stemming from implementing CE in the federal government?

The United States currently employs a periodic and aperiodic investigative and adjudicative security clearance process with origins in the Second World War. Information systems and data — e.g., financial, legal, travel — on individuals have improved dramatically since the creation of this process. This exploratory project examines various continuous evaluation (CE) approaches to detecting insider threats that are available to the U.S. government and assesses the relevance of these approaches to the challenges posed by such insider threats. The authors considered CE cost estimates, examined efficacy and best practices, and assessed some of the practicalities of employing CE.

This report defines CE as a vetting and adjudication process to review on an ongoing basis the background of an individual who has been determined eligible for access to classified information or to hold a sensitive position at any time during the period of eligibility. There are potential benefits from CE in effectiveness and cost over the current method of granting security clearances to personnel based on periodic reinvestigation and readjudication. While exact costs and savings depend on CE packages selected and population size, estimates revealed that savings might be realized after six years and could be substantial (in the billions of dollars) over a longer period. While the process of CE would be new, the substance is not, and, thus, if executed properly, CE would be no more invasive than current processes.

Key Findings

The current investigation and adjudication process is time-consuming

There is a large backlog of investigations and periodic reinvestigations. As of 2018, there were approximately 416,000 unprocessed security clearance investigations and approximately 156,000 unprocessed periodic reinvestigations.

The Office of Personnel Management, the organization that has had primary security clearance investigating responsibility, has faced resource reductions.

There are limitations and challenges to using CE in the federal government

There is no commonly shared definition of insider threat across the government.

Neither CE nor insider threat has been defined in statute.

There are limited behavioral or technical data available to develop and deploy an effective and predictive CE monitoring tool.

There is no centralized or authorized facility to receive anonymous reporting streams for individuals in either cleared or uncleared populations.

There are privacy concerns for CE programs related to sharing personal or privileged individual data.

The cost over the long term for CE might be lower than the cost over the same period using current practices

While exact costs and savings depend on CE packages selected and population size, estimates revealed that savings might be realized after six years and could be substantial (in the billions of dollars) over a longer period.

CE could be less invasive for the cleared population than current approaches

The substance of the data CE reviews is not new; only the frequency with which the data are reviewed is.

Recommendations

Establish a common definition of insider threat, such as "the potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization or national security."

Establish a common definition of CE, such as "a vetting and adjudication process to review on an ongoing basis the background of an individual who has been determined eligible for access to classified information or to hold a sensitive position at any time during the period of eligibility."

Increase the frequency of continuous monitoring efforts surrounding the period of an employee's termination in both public- and private-sector CE programs.

Create a real-time reporting mechanism to supplement any future security clearance approach, including one involving CE.

Study standards and establish authorities for access to all relevant nonfederal information that could inform the CE tool, such as local criminal records, mental health information, and significant financial activity.

Prioritize resources and clearance reviews that present the most urgent investigative and adjudicative issues.

Fully implement security clearance reciprocity and suitability/fitness reciprocity among U.S. government departments and agencies and merge the security clearance and suitability/fitness programs and processes to improve coordination and gain maximum vetting value from collected data across programs, departments, and agencies.

Table of Contents

Chapter One: Introduction

Chapter Two: Insider Threat and Continuous Evaluation Defined

Chapter Three: Background: Addressing Insider Threats

Chapter Four: What Capabilities Exist to Combat Insider Threats?

Chapter Five: How Is Continuous Evaluation Implemented Today?

Chapter Six: Conclusion

Research conducted by

This research was sponsored by the Office of the Secretary of Defense and conducted within the Cyber and Intelligence Policy Center of the RAND National Defense Research Institute (NDRI), a federally funded research and development center (FFRDC) sponsored by the Office of the Secretary of Defense, the Joint Staff, the Unified Combatant Commands, the Navy, the Marine Corps, the defense agencies, and the Intelligence Community.

This report is part of the RAND Corporation research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.
